OASIS SAML Security and Privacy 2.0

From IDESG Wiki
Jump to navigation Jump to search

Title: Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V2.0


Category: Authentication Procotol Specification


Date: 3/15/2005


Creator: OASIS


URL: http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf


Description: Provides security and privacy considerations for users of SAML 2.0, including some specific implementation requirements (such as mandatory cryptographic algorithms to be supported) but more extensive discussion of threats and countermeasures to be considered when profiling SAML 2.0.


Privacy: There is discussion of achieving privacy through confidentiality of the transaction and a discussion of pseudonymity. Privacy protections implemented for PII at rest seems to be out of scope.


Security: The threat analysis within explains design choices within SAML or informs the developers of SAML profiles. The document requires SHA-1 with no mention of more robust hash algorithms (SHA-256 etc did not exist in 2005), requires Triple DES and suggests but does not mandate AES.


Interoperability: The document specifies TLS cipher suites that are required to be supported.


Terms:

Retrieved from "https://wiki.idesg.org/index.php?title=OASIS_SAML_Security_and_Privacy_2.0&oldid=4979"